CVEReports
Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

CVE-2025-67746 (CVSS 1.3, EPSS 0.04%)

Terminal Deception: Inside CVE-2025-67746 in Composer

Amit Schendel
Senior Security Researcher

Jan 1, 2026 · 5 min read

No Known Exploit

Executive Summary (TL;DR)

Composer, the ubiquitous PHP dependency manager, was failing to sanitize remote package metadata before printing it to the console. This allowed attackers to inject ANSI escape sequences into package names or descriptions. While the CVSS score is a measly 1.3, the practical implication is that a malicious package could rewrite your terminal history, hide critical security warnings during a `composer audit`, or even crash your terminal emulator. The fix involves a hefty regex to strip control characters.

A deep dive into how ANSI sequence injection allows malicious PHP packages to manipulate your terminal output, hiding warnings and spoofing success messages.
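As an added illustration (not Composer's own code, and not taken from this report), a PHP sanitizer of the kind the fix describes: it strips ANSI CSI and OSC sequences plus any remaining control characters from package metadata before console output, and flags metadata that carried them. The package name and description below are constructed samples.

```php
<?php
// Added example, not Composer's own code: strip terminal control
// sequences from remote package metadata before it is printed.

/**
 * Remove ANSI escape sequences and other control characters from text
 * destined for a console. Tab, newline and carriage return are kept.
 */
function sanitizeConsoleText(string $text): string
{
    $patterns = [
        // CSI: ESC [ parameter bytes, intermediate bytes, final byte
        '/\x1b\[[0-9:;<=>?]*[ -\/]*[@-~]/',
        // OSC (window titles, hyperlinks): ESC ] ... ended by BEL or ESC \
        '/\x1b\][^\x07\x1b]*(?:\x07|\x1b\\\\)/',
        // Any other ESC followed by a single byte (e.g. ESC c, full reset)
        '/\x1b[@-_]/',
        // Remaining C0 controls and DEL, except \t \n \r
        '/[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/',
    ];
    return preg_replace($patterns, '', $text);
}

/** True when the metadata carried something the sanitizer had to remove. */
function containsControlSequences(string $text): bool
{
    return sanitizeConsoleText($text) !== $text;
}

// Constructed sample metadata: the description embeds ESC[1A (cursor up)
// and ESC[2K (erase line), so text after them would overwrite the
// previous console line if printed raw.
$metadata = [
    'name'        => 'acme/example-helpers',
    'description' => "Helper library\x1b[1A\x1b[2Kall clear",
];

foreach ($metadata as $field => $value) {
    $flag = containsControlSequences($value) ? '  [control sequences removed]' : '';
    printf("%-12s %s%s\n", $field . ':', sanitizeConsoleText($value), $flag);
}
```

Logging the flagged field (rather than only stripping it) gives a cheap detection signal for a registry or CI pipeline that pulls untrusted package metadata.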

Official Patches

  • Composer 2.9.3 Release Notes
  • Composer 2.2.26 Release Notes

Technical Appendix

CVSS Score: 1.3 / 10
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
EPSS Probability: 0.04% (top 88% most exploited)

Affected Systems

  • Composer 2.0.0 < 2.2.26
  • Composer 2.3.0 < 2.9.3

Affected Versions Detail

Product    Affected Versions     Fixed Version
Composer   >= 2.0.0, < 2.2.26    2.2.26
Composer   >= 2.3.0, < 2.9.3     2.9.3

Attribute            Detail
CWE ID               CWE-74
Attack Vector        Network (Package Metadata)
CVSS Score           1.3 (Low)
Impact               Integrity (Output Manipulation)
Exploit Status       PoC Possible (No Active Exploitation)
Affected Component   Composer ConsoleIO

MITRE ATT&CK Mapping

  • T1036 Masquerading (Defense Evasion)
  • T1491 Defacement (Impact)
CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as commands when sent to a downstream component.

Vulnerability Timeline

  • Vulnerability Discovered: 2025-01-XX
  • Patches Released (2.2.26, 2.9.3): 2025-02-XX
  • CVE-2025-67746 Assigned: 2025-02-XX

Attack Flow Diagram (interactive diagram not reproduced)